Friday, 28 June 2013

It was standing room only in Parliament’s Committee Room 11 yesterday
afternoon. People had packed the place to learn more about PRISM and what ought
to happen next. Most of these people were Open Rights Group members, though. I
saw two MPs and a couple of Parliamentary researchers, together with some
well-respected journalists who were also covering the event.

What did we learn?

First, that Parliamentarians knew nothing about PRISM (and
the Tempora project) other than what they had read in the papers. Second, that
they felt they were unlikely to learn anything of significance from the Foreign Office or
from ministers. This sort of operational stuff is not for them. Such matters are
usually considered by the Intelligence and Security Committee, members of which
are appointed by the Prime Minister, and the Committee reports directly to the
Prime Minister.

It is the sort of stuff, however, that the independent
privacy researcher Caspar Bowden knows a lot about, and he gave the audience a short
lecture on what it is, why cloud computing providers ought to be concerned, and
why businesses might increasingly look away from the UK and to other countries,
particularly Germany, as a safe harbour for their commercial data assets in
future. How do you fight cybercrime and protect privacy in the cloud? Ask Caspar,
who will point you in the direction of a number of reports he has helped
compile.

As David Davies MP started to speak, it became pretty clear
to me that, despite his well known views on the issue, no-one from the Home
Office has given him a private briefing about the cunning plans that are being
hatched behind the scenes to improve the current scrutiny procedures. Quite why
no-one from the Home Office has managed to correct his misconceptions about the
current scrutiny procedures is a mystery. I can only conclude that there is a deliberate
campaign to keep him in the dark.

Anyway, David warmed up by criticising the current RIPA safeguards,
exclaiming that it has been apparent that there are pretty poor protective
measures in place. He commented that “the man at the desk next door” will readily
approve applications for communications data, while a judicial figure would more
closely scrutinise each request. He ended with a flourish: “Parliament
ought to rip up RIPA and start again.”

If anyone from the Home Office had managed to brief him in the
past six months or so, he would have realised that what is being proposed in the
revised (and so far unpublished) version
of the Communications Data Bill is, effectively, a complete re-write of the relevant
parts of RIPA. There are plans for a radical
ramp up of the regulation of the law enforcement authorities that seek
communications data. I won’t say any more, otherwise I’ll feel a need to take
refuge in a country that welcomes people like Edward Snowden and Julian
Assange.

I can end on an upbeat note. I left Parliament yesterday
with a couple of bottles of House of Commons triple-distilled Speaker Bercow’s
vodka. Produced in the heart of Cheshire, and bottled by G & J Greenhall, it’s
a smooth spirit with no heavy oil aftertaste. Marvellous! It’s just the stuff that
Parliament should be selling. Order some from your local MP today.

Thursday, 27 June 2013

I’ve found a great website that lists the data breaches that
have been removed from the ICO’s enforcement pages.

I am greatly indebted to a chum who read yesterday’s blog
and kindly gave me the address of Breach Watch, a website operated by John
Elliott.

Breach Watch lists all formal action in response to data
breaches taken by the Information Commissioner’s Office and the Financial
Services Authority (recently split into the Financial Conduct Authority and the
Prudential Regulation Authority).

Currently, visitors can browse over 260 reports of regulatory
action. Updates are usually posted on a weekly basis.

So, if you need to review any FSA enforcement action from
2007 to 2012, or any ICO Undertakings, Enforcement Notices or Monetary Penalty
Notices since 2007, you now know where to look.

As John explains, it’s a great site for people who want to
learn from others’ misfortune, understand what the regulators are concerned
about and get a better understanding of what constitutes appropriate technical
and organisational measures. It’s also a great resource for trainers who need
examples of real cases to spice up training sessions and internal reports.

And John also makes the following points:

"Over 40% of the undertakings and monetary penalties listed here were the result of the loss or theft of unencrypted data, typically on a memory stick or unencrypted laptop.

Over 50% were the result of insufficient training or education of staff, typically relating to insecure use of personal data, such as transferring it to an unencrypted storage device - notice the strong theme about unencrypted, portable data. Many of these principles also relate to the security of the physical documents. A major point to appreciate is that in the majority of cases the insufficiently secure data was simply lost as a result of human error - it was the failure to prepare for such an event, rather than the loss of the item itself, that was the issue and the cause of the regulatory action.

In the case of theft it is extremely rare that the data was stolen for its own value, but rather was stolen alongside something else, such as a laptop or a bag containing physical records. Encryption of data in advance is important to prevent access to this data and minimise the danger posed by such unfortunate events. Ensuring that staff are sufficiently trained in key data protection principles and that encryption policies are actually followed would protect against the primary danger of accidental loss, the most common cause of a breach threat."

This is seriously good stuff, and I commend this website to
all responsible data protection folk.

Wednesday, 26 June 2013

How should a data controller respond to the question “Has the
organisation ever been subject to action by the Information Commissioner
regarding complaints and or enforcement notices?”

Should a “Rehabilitation of ICO Offenders Act” be created, to set the
expectations of people who ask such questions? After all, if an ex-offender can’t be
questioned about their criminal convictions after a certain period, perhaps
similar standards ought to apply to those who have fallen foul of the folk in
Wilmslow.

A quick glance at the ICO enforcement site provides some clues to the answer. If
you want to learn who’s been told to stand on the ICO’s naughty step, then this
is a good place to start. The good news is that it lists no details of ICO prosecutions
before June 2011, Enforcement Notices before December 2011, or Undertakings
before May 2011. But it does list all Decision Notices since February 2005, all
Monetary Penalty Notices (ie those awarded since it was given powers in February
2011) and all PECR breaches (ie those awarded since it was given powers in July
2011).

However, even though the old prosecutions, Enforcement Notices and Undertakings no
longer appear on the ICO’s Enforcement Pages, details can still be found if
you’ve a rough idea of what you’re looking for. Thanks to the mighty internet
search engines (and the sterling efforts of a number of journalists and firms of solicitors), details and occasionally
comments about old enforcement actions can readily be found all over cyberspace.

Should a responsible data controller take the ICO’s lead, and assume that it is
obliged to reveal details of enforcement actions while they are also available on
the ICO enforcement site, but that, once they have been removed, it can forget about
ever having been on the ICO’s naughty step?

Some would suggest that it’s unfair to expect an ex-offender to be required to
reveal information that the Regulator has decided is no longer worthy of
mention on the Regulator’s own website.

I’ve had a look at the ICO’s own policy on “Communicating Enforcement Activities” to
see if that provided any useful guidance. A policy document was published in
January 2010 and contained a commitment that the policy would be reviewed in
2011. However, it’s not clear if the review took place – and if it did, whether
anything changed.

On the assumption that it has not changed, then (a
slightly condensed version of) the ICO’s policy for communicating enforcement
and regulatory activities is as follows:

“The default assumption is that we are likely to publicise
enforcement and regulatory activities:

If it’s already a news story. We would probably
also publicise the fact we’re investigating in these circumstances.

Where there’s an opportunity for
education/prevention.

If it’s new, extreme, a first etc (standard news
criteria).

If it meets a communications, corporate or
information rights objective.

If it would help an investigation to publicise
it.

If there are aggregate stories showing trends
etc.

Where publicity is likely to deter others.

Where publicity would be in the public interest.

We are not likely to publicise enforcement and regulatory
activities:

When releasing information could prejudice a
trial.

When an investigation is underway (and it could
be hindered by publicity, or the investigation may come to nothing).

When we have several similar cases and time or
news constraints mean we have to choose.

If it is too dull or technical to make the news.

Where we would breach S59 of the Data Protection
Act.

Preliminary notices

More suited to aggregate story, unless there is
an overriding public interest to publicise it, all parties agree, if it was
already in public domain, or if there is a regulatory need.

Undertakings

We will publicise undertakings depending on news
value and/or if there is a need to address public concerns.

Where they relate to section 55 and are given by
individuals in lieu of possible prosecution they will normally be put on our
website in an anonymised form.

Undertakings will normally be kept on our website
for two years.

Prosecutions

We may inform journalists in advance.

We will adhere to contemporaneous reporting
rules.

We may issue a news release.

In some cases we’ll provide the case summary to a
journalist.

We will report on prosecutions in our Annual
Report to Parliament. This also goes on our website and will normally be kept
on our website for three to four years.

Cautions

We may publicise cautions depending on news
value.

More suited to aggregate story.

Enforcement Notices

We will publicise these depending on news value.

Enforcement notices will be put on our website
and reviewed after two years.

Injunction application

More suited to an aggregate story.

Application for Enforcement order

We may publicise these depending on news value.

Inspection

If publicity is desired, we will work with the
relevant authority on communicating international inspections.

Information Notice

We are likely to publicise if it’s in the public
domain.

We may
publicise if it helps the investigation.

We are likely to publicise if there’s an expectation
of an update or we need to show we have taken action.

Search warrant

We will publicise these in aggregate (eg in the
annual report).

We may publicise if it helps the investigation.

We are likely to publicise if it’s in the public
domain.

We are likely to publicise if there’s an
expectation of an update or we need to show we have taken action.

Penalties

We will not normally publicise the notice of
intent to serve a monetary penalty. This is more suited to aggregate story,
unless there is an overriding public interest to publicise it, all parties
agree, if it was already in public domain, or if there is a regulatory need.

We will publicise the serving of a monetary penalty.

Given that the internet hardly ever forgets, I think it’s
safe to assume that once a data controller finds themselves on the ICO’s
naughty step, people aren’t going to forget about it for a very long time. So
it might as well come clean about all of its past misdeeds, just in case
someone carries out an internet search and unearths material that leads them to
suspect that there has been a cover-up.

There certainly ought to be a right to forgive. I’m just not
sure how we can actually enforce a right to forget.

Tuesday, 25 June 2013

An interesting new survey from our chums at Big Brother Watch
shows just how differently European citizens feel about their online privacy,
even though the privacy laws around Europe are broadly the same.

Of course the laws are not identical. But they’re not hugely
different. Most of the differences are administrative in nature and are of
limited interest to anyone other than the data protection anoraks.

But what is surprising is how much people’s attitudes to
privacy vary – and I’ve been wondering whether identical European privacy
laws (which is what those promoting a Regulation want) would alter attitudes to
privacy to the extent that the citizens thought more along the same lines.

And I really doubt it.

The chart I’ve shown today comes from a
survey, recently carried out for Big Brother Watch by that reputable research organisation,
ComRes. People were asked: “How
concerned, if at all, are you about your privacy online?”

Evidently, Spanish people are most concerned about their
privacy online, while Germans are the least concerned. The chart indicates
whether respondents have no opinion (grey); are not at all concerned (dark
green); not very concerned (light green); fairly concerned (pink); or very
concerned (red).

But does this chart actually tell us much? I’d be happy to
bet that it would look pretty similar if the question had been changed to: “How
concerned, if at all, are you about your national economy?”

Are we to take it, from these statistics, that a generation
of Spanish and French regulators have done an awful job of upholding decent
privacy standards in their respective countries, and that only concerted action
from the Commission can save Europe from a privacy catastrophe? I think not.

Instead, what I think the survey shows us is that there
are different cultural attitudes towards privacy, despite the work that
regulators have done to encourage and cajole data controllers to improve their
data handling standards. The current rules have, after all, been in place for a
mighty long time.

So, in my humble opinion, people have views on privacy that derive
more from national cultures than from national laws.

And if, as is my view, a European Regulation is unlikely to result in
a narrowing of European attitudes towards privacy, then not a lot will be lost
if there is no Regulation.

Monday, 24 June 2013

Last week I mentioned that I had a cunning plan to increase
the prominence of the recently appointed Surveillance Camera Commissioner. I wondered what I could do to ensure that the
data protection community gets to know him a little better.

I reported that I would start by inviting him to a forthcoming meeting of the Data
Protection Forum and the National Association of Data Protection
Officers, to give him a public platform where the most pressing issues
on his agenda can be explored by professionals who are keen to understand just
what it is that concerns him.

Well, I’ve had a very nice reply from Andrew Rennison,
discussing his availability for the next few dates that DPF/NADPO members
have set for their meetings.

He also advised me that his term of office as Surveillance Camera
Commissioner will end next February, by which time he will have completed two
terms as the Forensic Science Regulator and both posts have to be
re-advertised.

Well, it would be a shame for him to leave the surveillance post
so soon after being appointed to it. Perhaps he will re-apply.

Does anyone else plan to apply for the post?

If they do, and if appointed, feel like introducing
themselves to the data protection community at a joint DPF/NADPO meeting next
March, then please get in touch.

Thursday, 20 June 2013

Earlier today, I joined the throng of data protectors
clamouring for a good seat in Westminster’s Central Hall, where a healthy
smattering of the usual suspects had assembled for the launch of the ICO’s
latest annual report.

For some of us, it was to be the second time we had heard
Christopher Graham today. The first time was before breakfast, live on Radio
4’s “Today” programme, where he was asked to comment on whether ‘data
protection’ prevented the Care Quality Commission from naming senior managers
apparently involved in a decision to destroy a CQC report criticising its inspections of University Hospitals of
Morecambe Bay NHS Foundation Trust, where a number of mothers and babies died.
No it doesn’t, in case you didn’t already know. And last
night, just before bedtime, Jeremy Paxman had been praising his wise pronouncements on the same issue
on BBC2’s “Newsnight” programme.

Now, he was with us in person, complete with a whizzy Prezi presentation that really puts my trusted
PowerPoint slides in their place. No lights, smoke, mirrors or a platform. Just an hour of explanations about how his office
enforces, educates, empowers, enables, encourages, and is both effective and
efficient. Yes, this was an “E-Annual report”. Parliament got the only
printed copy. The rest of us will henceforth rely on the electronic version (or a pdf document which is available
from the ICO’s website).

What did we hear
that was new?

“We are not an
arm of Government” quoth the Commissioner.

“But you are an
arm of the state” mumbled a member of the awkward squad, seated nearby.

“Local government is making a pig’s ear of data protection at the moment” quoth the Commissioner. (Presumably he was referring
to the amount of enforcement action that had been taken against wayward local authorities, but no-one asked him just what he meant.)

“2013 will be the
year that organisations realise the commercial imperative of handling customer
data properly” quoth the Commissioner. Well, let’s hope so.

Private discussions
among many guests before and after the main event focused on the prospects of a
Regulation being agreed by the European Parliament and the Council of Ministers
by this time next year. According to my (occasionally reliable) source, it seems that a
deal is being hatched that might just about get agreed by our political masters.
But, if the European Commission really is determined to get a Regulation next
year, then it is likely that the only Regulation that could be agreed would be
a simple instrument that introduces a European Data Protection Board, to better
co-ordinate the work currently carried out by the Article 29 Working Party.
Everything else (which means all the contentious stuff) will need to be put off
for another time.

So, if European Commissioner
Reding wants to stand on some podium next year, as she did last January when
launching the document containing that bunch of words cobbled together to form
the text of the draft Regulation, to proclaim once again “Ladies and Gentlemen,
we have done it,” then the only thing that might have got done is the thing
that many of us didn’t express much of an opinion on, anyway.

Over lunch, another commentator mused on the way the data protection community was poised to shoot
itself in the foot. Here was a great example, they sadly explained, of a wide range of people who
essentially want to do good, but who are incapable of agreeing what “good”
actually means.

As far as I’m concerned, the near hysterical atmosphere in which “negotiations” are currently
being carried out, with some stakeholders
playing to the gallery rather than intent on reaching a deal, really makes me
wonder how differently a new round of discussions will need to be managed for
there to be any chance of success next time, either.

Perhaps new faces
are required at the negotiating tables.

Perhaps, too, I
had better start crafting a lament about the demise of an unloved, fussy colleague.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.